Jobos (16th April 2013)
Time for another update.
Java SE 7 Update 21
Download (Windows: 32-bit, 64-bit / OS X: 64-bit) / Release Notes / Security Advisory
Note. According to the release notes, this update will expire on 18th July 2013.
Due to the severity of the vulnerabilities fixed in this Critical Patch Update, Oracle recommends that these fixes be applied as soon as possible.
Oracle today released two Critical Patch Updates: the April 2013 Critical Patch Update and the April 2013 Critical Patch Update for Java SE. The previous blog entry provided a summary of the April 2013 Critical Patch Update and this entry will discuss the content of the Critical Patch Update for Java SE.
The April 2013 Critical Patch Update for Java SE provides 42 new security fixes. 39 of the vulnerabilities fixed in this Critical Patch Update are remotely exploitable without authentication. The maximum CVSS Base Score for these vulnerabilities is 10.0, and this score affects 19 different vulnerabilities.
Out of the 42 vulnerabilities, only 2 can affect server deployments of Java. Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually requires local access to be exploited.
As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible. Desktop users can install this new version from java.com or through the Java Autoupdate. (Source)
Last edited by Arthur; 16th April 2013 at 09:41 PM.
Only downloaded 7u17 and 6u43 last week!!
Tempted to just remove Java. Do many sites actually use it these days?
I removed it ages ago.
Isn't it GOOD that they are starting to take security more seriously and releasing regular updates - like Windows does nowadays?
Urgh.. Will look at this later
Wish Oracle would release CABs for SCUP in the same way Adobe does for Flash & Reader.
Hardly anyone installs the updates. Oracle need to go back to the drawing board and design the Java RE to be secure from the start (like OpenBSD), instead of treating it as an afterthought.
Security Intelligence Report and the Secunia Vulnerability Review). Adobe also started a similar initiative in 2009 with Reader and Acrobat and is why malware writers largely focus on Java exploits because it is such an easy target.
"It's more expensive to create a Flash exploit than a Java one," Vupen CEO Chaouki Bekrar told Threatpost reporter Dennis Fisher. "Every time Adobe updates Flash, they're killing bugs and techniques and sandbox bypasses, and honestly, Adobe is doing a great job making it more secure." (Source)
Not many people in the 1990s and 2000s took the attitude that the only way to secure Windows was to uninstall it...
I wouldn't mind the updates so much if there was a way of disabling the GODDAMNED STUPID WARNINGS ABOUT IT BEING OUT OF DATE. ALL THREE OF THEM. (I did see a guide, but it was ridiculously involved, because Java is not inherently manageable it seems. Blocking the URL they check in with seemed to break the usual operation of Java.)
7u17 was good enough yesterday. This morning, first period, girls taking their ECDL tests will be bombarded with messages about security risks. Config Manager only checks in once an hour. No matter how quickly I move, I cannot push out the Java update fast enough to stop the warnings for their exam. The warnings that are only ever asked once, and require a profile reset if the wrong button is clicked.
Not to mention how stuffed I am if this update breaks something else because I've not had time to test it properly thanks to all the unnecessary pressure placed on my users. Believe me, I want a secure network, I want to deploy the best version I can. I do not need you panicking students & breaking paid-for exams to force my hand on the issue.
Brilliant. The new update now flashes up an extra warning when running the ECDL tests, about signed & unsigned code, do you want to block?
I am not sure why Oracle think that creating lots of warnings is better than just securing their thrice-damned software properly. If I could rid myself of it, I would.
Funny, we blocked the domain and had no issues. Do you need to push out a deployment.properties using GPP? Important assuming you can disable the warnings.
I tried disabling Java in the browser but found out Study Island uses it to communicate with the clickers.
I do not use anything that requires Java myself so do not see all these warnings and update notifications. I do disable the auto update check, which may help you with some of the nag screens.
We have also had issues with JNLP file associations in the past. I have attached my group policy settings to disable Java auto update and fix the JNLP file associations. I've also attached my MST that will disable Java update during install.
I have these settings in GPP registry for users, and computers.
I hope they help you.
I deploy Java out via SCCM and have an MST file to disable update notifications and hide certain aspects of the Control Panel Applet.
The major issue is remembering to supersede the previous version (Full Uninstall) before deploying the newer update! If you don't it breaks the installation and you need to clean the registry manually before the new version will install.
As I said before - If Oracle could create a SCUP catalog it would make life easier!